About This Guide


Welcome to Qualys Cloud Platform and security scanning in the Cloud! We'll help you get 
acquainted with the Qualys solutions for scanning your Cloud IT infrastructure using the 
Qualys Cloud Security Platform. 


About Qualys 


Qualys, Inc. (NASDAQ: QLYS) is a pioneer and leading provider of cloud-based security and 
compliance solutions. The Qualys Cloud Platform and its integrated apps help businesses 
simplify security operations and lower the cost of compliance by delivering critical 
security intelligence on demand and automating the full spectrum of auditing, 
compliance and protection for IT systems and web applications. 


Founded in 1999, Qualys has established strategic partnerships with leading managed 
service providers and consulting organizations including Accenture, BT, Cognizant 
Technology Solutions, Deutsche Telekom, Fujitsu, HCL, HP Enterprise, IBM, Infosys, NTT, 
Optiv, SecureWorks, Tata Communications, Verizon and Wipro. The company is also a 
founding member of the Cloud Security Alliance (CSA). For more information, please visit 
www.qualys.com 


Qualys Support 


Qualys is committed to providing you with the most thorough support. Through online 
documentation, telephone help, and direct email support, Qualys ensures that your 
questions are answered in the fastest time possible. We support you 7 days a week,
24 hours a day. Access support information at www.qualys.com/support/
Introduction


Welcome to Qualys Cloud Platform that brings you solutions for securing your Cloud IT 
Infrastructure as well as your traditional IT infrastructure. In this guide we'll be talking 
about securing your assets in Microsoft Azure infrastructure using Qualys. 


Qualys Integrated Security Platform 


With Qualys Cloud Platform you get a single view of your security and compliance - in real
time. If you’re new to Qualys, we recommend that you visit the Qualys Cloud Platform web
page to learn more about our cloud platform.


[Figure: Qualys Cloud Platform apps, grouped under Asset Management, IT Security, Compliance, Cloud / Container and Web App Security]
Azure Cloud Terminologies


Microsoft Azure - The Microsoft cloud platform, a growing collection of integrated services 
including Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) offerings. 
Learn more 


Azure Resource Manager - Azure Resource Manager enables you to work with the 
resources in your infrastructure solution as a group. You can deploy, update, or delete all 
the resources for your solution in a single, coordinated operation. You use a template for 
deployment and that template can work for different environments such as testing, 
staging, and production. Learn more 


Resource Group - A container that holds related resources for an Azure solution. The 
resource group can include all the resources for the solution, or only those resources that 
you want to manage as a group. You decide how you want to allocate resources to 
resource groups based on what makes the most sense for your organization. Learn more 


Resource Manager Template - A JavaScript Object Notation (JSON) file that defines one or 
more resources to deploy to a resource group. It also defines the dependencies between 
the deployed resources. The template can be used to deploy the resources consistently 
and repeatedly. Learn more 


Microsoft Azure Cloud Computing Terms - Microsoft Azure portal has a dictionary of 
common cloud computing terms relevant to their cloud based services. This is especially 
useful if you are new to Microsoft Azure. Learn more 


Securing Azure Essentials - IaaS and PaaS


Qualys integrates with Microsoft Azure Resource Manager (ARM) to discover assets using a 
Microsoft ARM API. This integration automatically detects and synchronizes changes to 
virtual machine instance inventories within Azure Cloud Platform. Virtual machines are 
tracked by virtual machine Id within Qualys even as their IP addresses change over time. 


Pre-requisites 


- Qualys Applications: Vulnerability Management (VM), Policy Compliance (PC) or 
Security Configuration Assessment (SCA), Cloud Agent (CA) 


- Qualys Sensors: Virtual Scanner Appliances, Cloud Agents, as desired 


- Qualys Virtual Scanner Appliance: Virtual machine must be able to reach the Qualys 
Cloud Platform over HTTPS port 443 


- Scanner personalization code (14 digits) used to deploy Virtual Scanner Appliance: 
This is obtained from your Qualys account as described in Add New Virtual Scanner in 
Qualys 


- Qualys user account: Must have Manager or Unit Manager role 
It’s easy to get started


Introduction 


You might already be familiar with Qualys Cloud Suite, its features and user interface. 
Here are the links to video libraries - 


Vulnerability Management 


Policy Compliance 


CloudView 


Web Application Scanning 


Cloud Agent 


Integrate Qualys into Azure Security Center 


Here are the links for some helpful resources - 


Qualys Training | Free self paced classes, video series, online classes 
Qualys Documentation | Getting started guides, quick references, API docs 


Qualys Community | Learn from the Project Managers, Subject Matter 
Experts and other Qualys customers 


Qualys Blog | Get latest updates and Helpful hints 


Quick Steps: Securing Azure 
Here's the user flow for securing Azure using Qualys. 




Automate Asset Inventory 
Sync inventory and metadata for an Azure virtual machine by setting up AssetView Azure Connector 


Design Sensor Deployment Strategies 
Analyze Environment and deployment strategies for Cloud Agent and Virtual Scanner Appliance 


Deploy Sensors 
Install Scanner Appliance and/or Cloud Agents 


Scan Assets 
Launch scans targeting all assets or specific assets you're interested in 


Analyze, Report & Remediate 
View dynamic dashboards, create custom widgets and run reports 


Cloud Inventory and Security Assessment 
Continuously inventory and assess your Azure cloud workloads 


Securing Containers 
Identify Container Hosts, Registries, and CICD Pipelines and Deploy Container Sensors 


Securing Web Applications 
Configure Qualys Web Application Scanning to scan your applications 
Automate Asset Inventory


Deploying Azure Connector 


Configure Microsoft Azure connectors for gathering resource information from your
Microsoft Azure account. You can create an Azure connector from AssetView and CloudView,
as explained after the pre-requisites. It just takes a couple of minutes.


Let us see what permissions are needed to create an Azure connector.


Pre-requisites 
Before you create an Azure connector, ensure that you have the following permissions: 


- Assign Azure Active Directory permissions to register an application with your Azure 
Active Directory 


- Checking Azure Subscription Permissions to assign the application to a role in your 
Azure subscription 


Assign Azure Active Directory permissions 


Navigate to Azure Active Directory > User Settings and then ensure that the App
registrations are allowed for your Azure subscription.


If your Azure subscription has the app registrations setting set to No, you need to check
whether your account is an admin or user for the Azure AD account.


To check if your account is an admin, go to Overview and look at your user information.
If your account is assigned to the User role, but the app registration setting is restricted to
admin users, you are not permitted to register new apps. In such a case, ask your
administrator to either assign you to the global administrator role, or to enable users to
register apps.


Checking Azure Subscription Permissions 


In your Azure subscription, your account must have the Owner access role to assign an AD
app to a reader role. If your account is assigned to the Contributor role, you do not have
adequate permissions and receive an error when attempting to assign the service
principal to a role.


To know the role assigned to you, select your account (refer image) and select My 
permissions. From the Subscription drop-down list, select the subscription for which you 
would want to check permissions and then click the “Click here to view complete access 
details for this subscription” link. 




Creating Azure Connector with AssetView 


1) Log in to the Qualys Cloud Platform and pick the AssetView app. Go to Connectors >
Azure tab, select Create Azure Connector and our wizard walks you through the steps.


Tip - We recommend you create at least one generic asset tag (for example, Azure) 
and let the connector automatically apply that tag to all imported assets. You can 
add more tags to your Azure assets based upon the discovered Azure metadata. 


2) Enter a name and description (optional) for your connector. 
3) Select the account type: Global or GovCloud. You can choose only one account type per
connector. 




4) Set up Authentication Details and copy/paste the authentication details into the form.


5) Configure the asset tags in Tags and Activation for scanning if you plan to use a
pre-authorized scanner appliance.

6) Click Create Connector. 


That's it! The connector establishes a connection with Microsoft Azure to start scanning 
Microsoft Azure resources for security issues using the Qualys Cloud Platform. 
Set up Authentication Details


This section helps you to gather the parameters required to create Azure Connector. 


Create Application and get Application ID, Directory ID 
Create application in Azure Active Directory and you can then note the application ID. 


1) Log on to the Microsoft Azure console and press Azure Active Directory in the left 
navigation pane. 


2) Click App Registrations > New registration.


3) Provide the following details:
- Name: A name for the application (For example, My_Azure_Connector) 


- Supported account types: Select Accounts in any organizational directory. 


4) Click Register. The newly created application is displayed with its properties. Copy the 
Application (client) ID and Directory (tenant) ID and paste it into the connector details. 


Generate Authentication Key


Provide permission to the new application to access the Windows Azure Service 
Management API and create a secret key. 


1) Select the application that you created and go to API permissions > Add a permission. 


2) Select Azure Service Management API in Microsoft APIs for Request API permissions. 




3) Select user impersonation permission and click Add permissions. 




4) Select the application that you created and go to Certificates and Secrets > New client 
secret. 
5) Add a description and expiry duration for the secret key (recommended: Never) and
click Add. 




6) The value of the key appears in the Value field. 


Copy the key value at this time. You won’t be able to retrieve it later. Paste the 
key value as Authentication Key into the connector details. You need to provide 
the key value with the application ID to log on as the application. Store the key 
value where your application can retrieve it. 
Acquiring Subscription ID


Grant permission for the application to access subscriptions. Assign a role to the new 
application. The role you assign defines the permissions for the new application to access 
subscriptions. 


1) On the Azure portal, navigate to Subscriptions. 




2) Select the subscription for which you want to grant permission to the application and
note the subscription ID. To grant permission to the application you created, choose 
Access Control (IAM). 


3) Go to Add > Add a role assignment. Pick a Reader role. A Reader can view everything, 
but cannot make any changes to the resources of a subscription. 


Note: You need to assign the Reader role if the same application is used in both the
AssetView and CloudView modules. If the application is used only in the AssetView module
(and not in the CloudView module), the built-in or custom role assigned to the subscription
needs at least the following permissions:


- "Microsoft.Compute/virtualMachines/read",
- "Microsoft.Resources/subscriptions/resourceGroups/read",
- "Microsoft.Network/networkInterfaces/read",
- "Microsoft.Network/publicIPAddresses/read",
- "Microsoft.Network/virtualNetworks/read",
- "Microsoft.Network/networkSecurityGroups/read"


4) Select Azure AD user, group, or application in Assign Access to drop-down. 
5) Type the application name in Select drop-down and select the application you created.




6) Click Save to finish assigning the role. You'll see your application in the list of users 
assigned to a role for that scope. 


7) Copy the subscription ID you noted and paste it into the connector details in the Qualys 
Azure Connector screen and then click Create Connector. 
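

The minimum-permission list in the note under step 3 can be turned into an automated least-privilege check on the role the connector's application ends up with. The following Python is an added example, not Qualys or Microsoft code; the role JSON shape (Name, Actions, NotActions) and the sample roles are assumptions constructed for illustration.

```python
import fnmatch

# Minimum read actions the guide lists for a connector used only by AssetView.
ASSETVIEW_MIN_ACTIONS = (
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Network/networkInterfaces/read",
    "Microsoft.Network/publicIPAddresses/read",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Network/networkSecurityGroups/read",
)

# Constructed sample role definitions (not taken from the guide).
SAMPLE_ROLES = [
    {"Name": "qualys-assetview-min",
     "Actions": list(ASSETVIEW_MIN_ACTIONS), "NotActions": []},
    {"Name": "reader-like", "Actions": ["*/read"], "NotActions": []},
    {"Name": "contributor-like", "Actions": ["*"],
     "NotActions": ["Microsoft.Authorization/*/Write",
                    "Microsoft.Authorization/*/Delete"]},
    {"Name": "incomplete",
     "Actions": list(ASSETVIEW_MIN_ACTIONS[:5]), "NotActions": []},
]


def _matches(action, patterns):
    """Azure RBAC action strings are case-insensitive and may use '*' wildcards."""
    action = action.lower()
    return any(fnmatch.fnmatchcase(action, p.lower()) for p in patterns)


def audit_role(role):
    """Compare one role definition with the guide's minimum action list."""
    actions = role.get("Actions", [])
    not_actions = role.get("NotActions", [])
    required = {a.lower() for a in ASSETVIEW_MIN_ACTIONS}

    # Required actions that the role does not effectively grant.
    missing = [
        a for a in ASSETVIEW_MIN_ACTIONS
        if not _matches(a, actions) or _matches(a, not_actions)
    ]

    # Grants beyond the minimum, split by whether they stay read-only.
    extra_read, write_capable = [], []
    for pattern in actions:
        if pattern.lower() in required:
            continue
        if pattern.lower().endswith("/read"):
            extra_read.append(pattern)
        else:
            write_capable.append(pattern)

    if write_capable:
        verdict = "over-privileged"
    elif missing:
        verdict = "insufficient"
    elif extra_read:
        verdict = "read-only, broader than minimum"
    else:
        verdict = "minimal"
    return {
        "role": role.get("Name"),
        "missing": missing,
        "extra_read": extra_read,
        "write_capable": write_capable,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for sample in SAMPLE_ROLES:
        result = audit_role(sample)
        print(f"{result['role']}: {result['verdict']}")
        for key in ("missing", "extra_read", "write_capable"):
            if result[key]:
                print(f"  {key}: {', '.join(result[key])}")
```

A "read-only, broader than minimum" verdict is what the built-in Reader role produces, which the note says is required when the same application is also used by CloudView.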


How Does Azure Connector Work? 


Asset Discovery: The Azure connector performs asset discovery for your cloud with its
continuous synchronization mechanism. The connector synchronizes every 4 hours with
the Azure account and pulls in all virtual machines. If a virtual machine is found to be
terminated after a connector run, the connector stores that virtual machine with the
“DELETED” state.


Azure retains the terminated virtual machines for only about 15 minutes. However,
Qualys retains the record and details of all the terminated virtual machines.


Synchronization of Assets: Adds the assets to your Qualys account. Except for assets with 
errors (as such assets are dropped off), all other assets are added to the Qualys account. 


Securing Microsoft Azure with Qualys


Viewing Imported Assets 




The Azure connector starts pulling the virtual machines once you finish the connector 
creation. Let’s check out the different information we display once the connector run is 
complete. 


- Asset Count - The Asset count column shows the assets discovered and
synchronized in the latest Azure connector run.


- Synchronized Assets - In the Asset count column, the green portion represents
assets synchronized. Synchronized count represents assets that are successfully
processed at Qualys.


- Show Assets - Total count of assets discovered by the connector over its span of
time.


Assets with Error - The Asset count column may also show a portion in red which 
represents assets with errors. Assets with errors are those which have encountered issues 
while being processed at Qualys. 
You can view the assets that are collected by the connector by navigating to AssetView. The
Azure VM Information tab of the Asset details page displays the Azure instance metadata
collected. Here is a sample screenshot that displays the information we collect.




Once the Azure virtual machines are discovered, you are ready to start scanning and 
securing your Microsoft Azure infrastructure! 


Azure Metadata 


This section provides information on cloud provider metadata provided by Qualys Cloud
Agent, AssetView Connector and Qualys Scanner.


AssetView Connector & Qualys Cloud Agent Metadata
General:
- VM ID (compute.vmId)
- VM Name (compute.name)
- Platform / OS Type (compute.osType)
- Size (compute.vmSize)
- Image Offer (compute.offer)
- Image Publisher (compute.publisher)
- Image Version (compute.version)
- Subscription ID (compute.subscriptionId)
- Location (compute.location)
- Resource Group Name (compute.resourceGroupName)
- VM State (Only Running for QCA data collection)


Network:
- Private IP Address (network.interface.ipv4.ipaddress.privateIpAddress)
- Public IP Address (network.interface.ipv4.ipaddress.publicIpAddress)
- MAC Address (network.interface.macAddress)
- Subnet (network.interface.ipv4.subnet.address)


Azure VM Tags:
- LifeCycle (compute.tags)
- Owner (compute.tags)
- Department (compute.tags)




Scanner Metadata 




Scanner metadata for authenticated scans on Azure Linux virtual machine - QID 45389


Computer: 
- azEnvironment
- location
- name
- offer
- osType
- placementGroupId
- plan
  - name
  - product
  - publisher
- platformFaultDomain
- platformUpdateDomain
- provider
- publicKeys
  - keyData
  - path
- publisher
- resourceGroupName
- sku
- subscriptionId
- tags
- version
- vmId
- vmScaleSetName
- vmSize
- zone
Network Interface ipv4:
- ipAddress
  - privateIpAddress
  - publicIpAddress
- subnet
  - address
  - prefix
Network Interface ipv6:
- ipAddress
- macAddress


Azure APIs Used by Azure Connector to Discover Assets 


Qualys uses Azure APIs to get all resource groups for a subscription and list all virtual 
machines for the specified resource group. 


Resource Groups - List 


https://docs.microsoft.com/en-us/rest/api/resources/resourcegroups/list 


Virtual Machines - List 


https://docs.microsoft.com/en-us/rest/api/compute/virtualmachines/list 


Qualys APIs for Azure Connectors 


You can perform various Azure connector operations through API as well. For detailed 
information on using Qualys APIs related to Azure, see the Asset Management and 
Tagging API v2 User Guide. 


Here are some useful Azure connector APIs: 


Create Azure Connector 
https://qualysapi.qualys.com/qps/rest/2.0/create/am/azureassetdataconnector 


Get Host Asset Info (get the metadata of an Azure instance) 
https://qualysapi.qualys.com/qps/rest/2.0/get/am/hostasset/<id> 
Scanning in Azure Environments


Let us get familiar with a few basic networking terms.


VNet: An Azure Virtual Network (VNet) is a representation of your own network in the 
cloud. It is a logical isolation of the Azure cloud dedicated to your subscription. Each VNet 
you create has its own CIDR block and can be linked to other VNets and on-premises 
networks as long as the CIDR blocks do not overlap. 


VNet peering: A mechanism that connects two virtual networks (VNets) in the same 
and/or different region through the Azure backbone network. Once peered, the two virtual 
networks appear as one for all connectivity purposes. 


Single VNet Single Region 


Scanners need to be configured to communicate with the Qualys Cloud Platform over HTTPS
(via Network security groups and proper routing).


Single VNet Single Region Multiple Scanners


Based on the number of virtual machines and scan frequency, multiple scanners might be
required to scan multiple machines in a VNet. You can add more scanners based on
requirements.


Scanners need to be configured to communicate with the Qualys Cloud Platform over HTTPS
(via Network security groups and proper routing).


Multiple VNet Single Region


A single scanner can reach multiple virtual machines in peered VNets. Based on the number
of machines and scan frequency, multiple scanners might be required to scan multiple
virtual machines across peered VNets in a region.


Scanners need to be configured to communicate with the Qualys Cloud Platform over HTTPS
(via Network security groups and proper routing).




Multiple VNet Multiple Region 


Azure allows peering of VNets across regions, hence a single scanner can reach virtual
machines in different VNets in different regions. Based on the number of machines and scan
frequency, multiple scanners might be required to scan multiple virtual machines across
peered VNets in different regions.


Scanners need to be configured to communicate with the Qualys Cloud Platform over HTTPS
(via Network security groups and proper routing).


Non Peered VNets


Scanner reachability is curtailed if the VNets are not peered: scanners cannot reach the
virtual machines in non-peered VNets and so cannot launch a scan against them.


Scanners need to be configured to communicate with the Qualys Cloud Platform over HTTPS
(via Network security groups and proper routing). 
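

The topologies above come down to one planning question: which VNets can each scanner actually reach? The following Python is an added example, not part of the Qualys guide; the VNet names, CIDR blocks and scanner names are constructed, and it treats peering as non-transitive, which is how Azure VNet peering behaves by default rather than something the guide states.

```python
import ipaddress
from itertools import combinations

# Constructed sample environment (names and address ranges are illustrative).
SAMPLE_VNETS = {
    "westus-hub": "10.0.0.0/16",
    "westus-app": "10.1.0.0/16",
    "centralus-app": "10.2.0.0/16",
    "centralus-db": "10.3.0.0/16",
    "legacy": "10.3.0.0/24",  # overlaps centralus-db
}
SAMPLE_PEERINGS = [
    ("westus-hub", "westus-app"),      # same region
    ("westus-hub", "centralus-app"),   # cross-region peering
    ("centralus-app", "centralus-db"),
    ("centralus-db", "legacy"),        # requested, but the CIDR blocks overlap
]


def overlapping_vnets(vnets):
    """Return sorted (name, name) pairs whose CIDR blocks overlap.

    VNets can only be linked when their CIDR blocks do not overlap.
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in vnets.items()}
    return [
        (a, b)
        for a, b in combinations(sorted(nets), 2)
        if nets[a].overlaps(nets[b])
    ]


def scanner_coverage(vnets, peerings, scanners):
    """Map each VNet name to the sorted list of scanners that can reach it.

    `scanners` maps a scanner name to the VNet it is deployed in. A scanner
    reaches its own VNet and the VNets directly peered with it; a chain
    A-B, B-C does not give A access to C.
    """
    blocked = set(overlapping_vnets(vnets))
    peers = {name: set() for name in vnets}
    for a, b in peerings:
        if tuple(sorted((a, b))) in blocked:
            continue  # overlapping address space: this link cannot exist
        peers[a].add(b)
        peers[b].add(a)

    coverage = {name: set() for name in vnets}
    for scanner, home in scanners.items():
        for vnet in {home} | peers[home]:
            coverage[vnet].add(scanner)
    return {name: sorted(names) for name, names in coverage.items()}


def uncovered(coverage):
    """VNets no scanner can reach, whose virtual machines would go unscanned."""
    return sorted(name for name, names in coverage.items() if not names)


if __name__ == "__main__":
    print("overlapping:", overlapping_vnets(SAMPLE_VNETS))
    plans = (
        {"scanner-1": "westus-hub"},
        {"scanner-1": "westus-hub", "scanner-2": "centralus-app"},
    )
    for plan in plans:
        cov = scanner_coverage(SAMPLE_VNETS, SAMPLE_PEERINGS, plan)
        print(sorted(plan), "-> uncovered:", uncovered(cov))
```

In the sample, one scanner in the hub leaves two VNets unscanned; a second scanner closes the gap for one of them, while the VNet with the overlapping address range stays unreachable until its addressing is fixed or it gets its own scanner.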


Deploying Sensors


Qualys sensors, a core service of the Qualys Cloud Platform, make it easy to extend your 
security throughout your global enterprise. These sensors are remotely deployable, 
centrally managed and self-updating. They collect the data and automatically beam it up 
to the Qualys Cloud Platform, which has the computing power to continuously analyze 
and correlate the information in order to help you identify threats and eliminate 
vulnerabilities. 


Prior to scanning, you need to deploy sensors. Depending on your preference, you could
deploy a pre-authorized scanner appliance or Qualys Cloud Agent. Let's go through the
steps involved in deploying these sensors.


Deploying Scanners in Azure Platform 


Deploying Scanners in Private Cloud Platform 


Deploying Qualys Cloud Agent 


Virtual Scanner Appliances 
Remote scan across your networks - hosts and applications 


Applications: VM, PC, SCA 


Cloud Agents
Continuous security view and platform for additional security solutions


Applications: CA (required), VM, PC, SCA


Internet Scanners 
Perimeter scan for edge facing IPs and URLs 


Applications: VM, PC, SCA 


Deploying Scanners in Azure Platform 


Cost and Licenses 


Qualys Virtual Scanner Appliance is available as an Image at Azure Marketplace, ready for 
customers to launch onto Azure Virtual Machines. There are two aspects to consider: 


- Qualys costs for the virtual scanner license subscription 
- Azure costs for the computing resources to run the appliance as a virtual machine 


Note: Ensure that you only use the image available at Azure marketplace or the Signed
URL provided by Qualys for downloadable Azure specific images. Images
downloaded from the Qualys UI are not recommended for use on Azure.
Qualys Cost


You need to acquire a Qualys license for each virtual scanner appliance Instance you
would like to run. This license is acquired from Qualys, not from Azure, and our scanner
appliances are listed at Azure Marketplace with a BYOL (i.e., “bring your own license”)
model accordingly. Each Qualys Virtual Scanner Appliance profile that you define in the
Qualys Cloud Platform UI consumes a single virtual scanner appliance license. If you
delete a virtual scanner appliance profile from your Qualys subscription, that license is
freed up and immediately available for re-use. Contact your Qualys technical account
manager or Qualys reseller for a pricing quotation or to request an evaluation.


Azure Cost 


For each virtual scanner appliance, a virtual machine is launched into one of your own 
Azure Subscriptions. You are responsible for paying Azure for the costs of running the 
appliance. Those costs include: 


- Compute Capacity based upon size 
- Storage 
- Data transfer IN/OUT 


The compute capacity charges (i.e., CPU, RAM) are overwhelmingly the largest part of the 
costs to run an Instance. Note that you are not required to keep your scanner appliance(s) 
running at all times. Any hours during which your virtual machine is stopped incur 
only per-GB provisioned storage charges. For those able to spend a little more upfront, 
Azure virtual machines can be reserved in advance by financially committing for one or 
three years to save. However, scanners should be turned on for at least several hours per 
week in order to ensure that they stay up-to-date with software and signatures. 


Deployment Recommendations for Scanners 


Virtual machine size for hosting the scanner 


To host the Qualys Virtual Scanner Appliance, the maximum supported size for a virtual 
machine by Qualys is 16 CPUs and 16 GB RAM. Based on the frequency of scanning, and 
the number of Azure Virtual machines that are being scanned, you can scale up to 16 
CPUs and 16 GB RAM. 


Instance Snapshots/Cloning Not Allowed 


Using a snapshot or clone of a virtual scanner instance to create a new instance is strictly 
prohibited. The new instance does not function as a scanner. All configuration settings 
and platform registration information will be lost. This could also lead to scans failing and 
errors for the original scanner. 


Moving/Exporting Instance Not Allowed 


Moving or exporting a registered scanner instance from a virtualization platform (HyperV, 
VMware, XenServer) in any file format to Microsoft Azure cloud platform is strictly 
prohibited. This breaks scanner functionality and the scanner permanently loses all of its 
settings. 


What do I Need? 


The Virtual Scanner option must be turned on for your account. Contact Qualys Support 
or your Technical Account Manager if you would like us to turn on this option for you. 


You must be a Manager or a sub-user with the “Manage virtual scanner appliances” 
permission. This permission may be granted to Unit Managers. Your subscription may be 
configured to allow this permission to be granted to Scanners. 


Deploying Qualys Scanner Appliance 


Extend the reach of the Qualys Cloud Platform to your Microsoft Azure infrastructure by 
deploying a Qualys Virtual Scanner Appliance - using Azure Resource Manager 
deployment. The appliance is a stateless resource that acts as an extension to the Qualys 
Cloud Platform. Once configured, all functionality is managed using your Qualys Cloud 
Platform account. 


Here, we'll describe how to deploy the Qualys Virtual Scanner Appliance using Microsoft 
Azure Resource Manager (ARM) or Resource Manager Templates. This scanner, once 
deployed, functions as a standard Virtual Scanner and can scan based on IP address or 
CIDR block. 


Quick Steps 

Create Resource Group in Azure 

Create Storage Account in Azure 

Create Virtual Network in Azure 

Add New Virtual Scanner in Qualys 

Scanner Configuration in Azure using Resource Manager (ARM) 
Scanner Configuration in Azure using Resource Manager Templates 


Create Resource Group in Azure 


We recommend you create one resource group per location for your Qualys virtual 
scanners. Give your resource group a name that is easy to recognize and represents the 
group location. Once created, the name cannot be changed. 


To learn more about the resource group, visit Azure documentation, 
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal. 


Create Storage Account in Azure 


If you do not have a storage account for your Qualys virtual scanners, you'll need to create 
one. 


To learn more about creating a storage account, visit Azure documentation, 
https://docs.microsoft.com/en-us/azure/storage/common/storage-account-create?tabs=azure-portal. 


Create Virtual Network in Azure 


If you do not have a virtual network set up for your Qualys virtual scanners, you should 
create one. 


To learn more about creating virtual networks, visit Azure documentation, 
https://docs.microsoft.com/en-us/azure/virtual-network/virtual-networks-overview. 


Add New Virtual Scanner in Qualys 


Create a virtual scanner in the Qualys Cloud Platform, assign it a distinct scanner name 
and record the exact personalization code. 


Select VM/VMDR or PC from the Qualys app picker. Then navigate to Scans > Appliances 
and select New > Virtual Scanner Appliance. 




Choose “I have My Image” and click Continue. Provide a name and click Next. 




After getting the personalization code, click Check Activation and then click Done on the last 
screen. This completes the creation steps and notifies users about the creation of the virtual 
scanner appliance. 


Scanner Configuration in Azure using Resource Manager (ARM) 


Find and select Qualys Virtual Scanner Appliance in the Marketplace and click Create to 
deploy the scanner. 


Note: Please only use the Qualys Virtual Scanner Appliance image available on the Azure 
Marketplace or the Signed URL provided by Qualys. Using images downloaded from the 
Qualys UI will not work on Azure Cloud, even with disk format conversions. 




Extend the reach of the Qualys Cloud Security Platform to your Microsoft Azure infrastructure. 


Qualys Virtual Scanner Appliance helps you get a continuous view of security and compliance putting a spotlight on your Azure Cloud infrastructure. It's a stateless resource 
that acts as an extension to the Qualys Cloud Platform. Once configured, all functionality is managed using your Qualys Cloud Platform account. 


Requirements: 


- subscription to Qualys Cloud Platform 
- scanner personalization code (14 digits) obtained from your Qualys account 
- Qualys Virtual Scanner Appliance VM must be able to reach the Qualys Cloud Platform over HTTPS port 443 


Enter the following required information and click Next: Disks+Monitoring: 
Subscription 
Resource group: 


To learn more about resource group, visit Azure documentation, 
https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal. 


Region 
Scanner VM name: Scanner VM name must be between 1 and 64 characters long and may 
contain alphanumeric characters, dots '.' and hyphens '-' only. It must start and end with 
an alphanumeric character. 


Perscode: Enter the 14-digit perscode obtained from Qualys. 
VM size: The appliance only supports up to 16 cores and 16GB memory. 
Optional field 


Proxy: You can configure the Qualys Scanner to use SSL proxy for all outbound 
communication with the Qualys Cloud Platform. We support both IP and FQDN for the 
proxy server configuration. 


Provide optional proxy configuration in one of the following formats: 
proxy://<host>:<port> (No auth proxy) 
proxy://<user>:<password>@<host>:<port> (Auth proxy) 
proxy://<domain\user>:<password>@<host>:<port> (Auth proxy with domain user) 


Make your selection to use premium disk and/or Boot diagnostics and then click Next: 
Networking: 


Note: Enable boot diagnostics to troubleshoot issues with your scanner. Diagnostics will 
include log output from the scanner. To learn more about Boot diagnostics, visit Azure at: 
https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/boot-diagnostics. 




Make your network selections and click Review + create. 


To learn more about Networking, visit Azure documentation, 
https://docs.microsoft.com/en-us/azure/networking/. 




Deployment will create a DEFAULT security group. 
Direction: Inbound, Source: Any, Access: Deny, Priority:1001 
Direction: Outbound, Destination: Any, Access: Allow, Priority:1002 


If validation passes, click the Create button. If validation fails, please correct the fields that 
are displayed in red. 


Once Azure completes the deployment, click Go to Resource to access the scanner 
deployment in your resource group: 




Your scanner will update and connect to the Qualys Cloud Platform. This process may 
take some time, depending on location. Once connected, you'll be able to use your Azure 
scanner from the Qualys Cloud Platform as you would any virtual scanner appliance. 


Scanner Configuration in Azure using Resource Manager Templates 


Here we'll tell you how to use Azure CLI with Resource Manager templates to deploy a 
Qualys Scanner in Azure. 


- Your template can be a local file or an external file which is available through a URI. 


Deploy Your Qualys Scanner from Azure CLI 


To deploy from marketplace, download the Qualys Scanner Marketplace template and use 
the parameter file - deploy_from_global_marketplace_image.json. 


Edit the deploy_from_global_marketplace_image.json file and set all needed parameters 
according to your own Azure environment. Then run the following Azure CLI command to 
deploy your Qualys Virtual Scanner: 


az deployment group create --debug --verbose --template-file azure_deploy.json --resource-group resource-group-name --parameters path_to_json_parameter_file 

Deployment requires the following parameters: 

- perscode: Enter the 14-digit personalization code obtained from Qualys Cloud Platform. 


- bootDiagStorageAccNameOrUri: Enter the storage account name to enable Boot 
Diagnostics. 


- proxy: Optional proxy configuration in one of the following formats: 


proxy://<host>:<port> (No auth proxy) 
proxy://<user>:<password>@<host>:<port> (Auth proxy) 
proxy://<domain\user>:<password>@<host>:<port> (Auth proxy with domain user) 


- scannerVmSize: Select any size up to 16 cores and 16 GB RAM. 


To learn more about Azure templates, please visit Microsoft Documentation on Azure 
Resource Manager Templates. 


How do I know my scanner is ready to use? 


Check your virtual scanner status in the Qualys UI. Go to Scans > Appliances and find 
your scanner in the list. 


Note: It can take several minutes for the Qualys user interface to get updated after you 
add a new appliance. Please refresh your browser periodically to ensure that you are 
seeing the most up to date details. 




The # icon tells you your virtual scanner is ready. Now you can start internal scans! 


The icon indicates the busy icon, which is greyed out until a scan is launched on the 
scanner. 


Updating proxy settings upon deployment 


You can update your scanner with new proxy settings or disable the proxy upon 
deployment. To do so, locate your scanner virtual machine and click Reset password. 


To update with new proxy settings, enter the new proxy configuration value in the ‘Password’ 
and ‘Confirm Password’ fields and click the Update button. 


Note: Password fields should be prefixed with proxy://. This is because Azure cloud does 
not have mutable user metadata and the scanner interprets the password value as an SSL 
proxy URL token, prefixed with proxy://. 


Username: u<Perscode>, e.g. U99999999999999 


Password: proxy://<new proxy value> 
Confirm Password: proxy://<new proxy value> 


To disable the proxy, click Reset password, enter the exact value, “RemOve_PrOxy”, for the 
Password and Confirm Password fields and click the Update button. 


How to troubleshoot issues with the scanner 


If boot diagnostics was not enabled during scanner deployment and you would like to 
troubleshoot issues with your scanner, you can still enable Boot diagnostics. Diagnostics 
will include log output from the scanner. From the virtual machine details, click Boot 




Click Boot diagnostics to view the serial log. 


For any errors or troubleshooting tips, visit Scanner Troubleshooting FAQs. 


Deploying Scanners in Private Cloud Platform 


This section helps you deploy a Qualys scanner in a private cloud platform using the following 
methods: 


- CLI 
- Azure GUI 


Deploying Qualys Scanners (using CLI) 


This section describes how to deploy Qualys Virtual Scanner Appliances using the Azure 
CLI. Once deployed, the scanner functions as a standard Virtual Scanner and can scan 
based on IP address or CIDR block. 


Want to learn more about Microsoft Azure? Check out the Azure Support page. 
Quick Steps 

Creating Resource Group 

Creating Storage Account 

Creating Storage Container 

Creating Virtual Network 


Copying Qualys image into your Storage Account 


Creating Deployment templates 


Deploying Qualys Scanner via CLI 


Creating Resource Group 


We recommend you create one resource group per location for your Qualys virtual 
scanners. Give your resource group a name that is easy to recognize and represents the 
group location, and specify the location where the group is created. Once created, the name 
cannot be changed. 


az CLI 


Example: az group create --name resource-group-qualys-scanner --location centralus 

where name is the resource group name, and location is the location where we create the 
group 


Help: -h, --help for output usage information 


Creating Storage Account 
We recommend you create at least one storage account for your Qualys virtual scanners. 


az CLI 


Example: az storage account create --name storagequalys --resource-group resource-group-qualys-scanner --sku Standard_LRS --kind Storage --location centralus 


where name is the storage account name, resource-group is the resource group name, sku is 
the SKU name (Premium_LRS, Standard_GRS, Standard_LRS, Standard_RAGRS, 
Standard_ZRS), kind is the account kind (BlobStorage, Storage, StorageV2), location is the 
location 


Help: -h, --help for output usage information 


Creating Storage Container 


You need to create a container in your storage account where qVSA images are stored. 


az CLI 


Example: az storage container create --name images --account-name storagequalys --account-key "AbcdefDKBFEHMKxeelzL4fsxINIm7gPrG+dVoirJFuCVEknw9TbCXVEUDxs10eg+heAcosc/SiCUhAzwNOuyt2w==" 


where name is the storage container name, account-name is the storage account name, 
account-key is the storage account key 


Help: -h, --help for output usage information 


Creating Virtual Network 


You may already have a virtual network set up for your Qualys virtual scanners. If not, 
create a new virtual network with 10.0.0.0/24 subnet. 


az CLI 
Example: az network vnet create --name qualys-scanner-vnet --address-prefixes "10.0.0.0/24" --resource-group resource-group-qualys-scanner --location centralus 


where name is the name of the virtual network, address-prefixes is a comma separated list of 
address prefixes for this virtual network, resource-group is the name of the resource group, 
location is the location 


Help: -h, --help for output usage information 


Copying Qualys image into your Storage Account 


Now you need to copy the Qualys qVSA image to your storage account. The qVSA image link is 
provided to you by Qualys Operations. 


az CLI 


Example: az storage blob copy start --source-uri "https://images.blob.core.windows.net/images/qVSA-Azure.X.X.XX-x.vhd?sr=b&sp=r&sv=YYYY-MM-DD&st=YYYY-MM-DDT18%3A48%3A39Z&sig=KC8UdRkX8XsdvGZefy5H8ulPVcdecqzWr6fiMzEMdY8%3D&se=YYYY-MM-DDT18%3A48%3A39Z" --account-name scanneraccount --account-key "Abcdefghijk1/XabePHYIyXX2qcH0/mvghcZyvFolmSos2z87IhXU1HRSsO2k+awzUZePSqT3AbpOEXAmP1E==" --destination-blob qVSA-Azure.X.X.XX-x.vhd.vhd --destination-container scanner-images 


where source-uri is the qVSA image link provided by Qualys Operations, account-name is the 
storage account name, account-key is the storage account key, destination-blob is the blob 
name, destination-container is the destination storage container name 


Help: -h, --help for output usage information 
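

Before starting the copy, the signed link can be inspected locally. The following is an added example, not Qualys or Azure code: it reads the standard SAS query fields (sp, st, se, sig) from the source URI and reports anything unexpected. The sample URL, the function names and the default host suffix are assumptions modelled on the placeholder link above.

```python
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlsplit

# Timestamp layouts accepted in the st/se fields of a SAS token (always UTC).
SAS_TIME_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d")

# Constructed sample shaped like the guide's placeholder link; not a real signed URL.
SAMPLE_SOURCE_URI = (
    "https://images.blob.core.windows.net/images/qVSA-Azure.X.X.XX-x.vhd"
    "?sr=b&sp=r&sv=2019-02-02&st=2020-05-04T18%3A48%3A39Z"
    "&sig=CONSTRUCTED0SIGNATURE0VALUE%3D&se=2020-05-11T18%3A48%3A39Z"
)


def parse_sas_time(text):
    """Convert an st/se value into an aware UTC datetime."""
    for fmt in SAS_TIME_FORMATS:
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised SAS timestamp {text!r}")


def inspect_sas_url(url, now, host_suffix=".blob.core.windows.net"):
    """Return a list of findings for a signed image URL; an empty list means no objection.

    host_suffix is an assumption (Azure public cloud); pass the suffix of your cloud.
    """
    parts = urlsplit(url)
    # parse_qs percent-decodes values and drops empty ones, so "sig=" counts as missing.
    fields = {key: values[0] for key, values in parse_qs(parts.query).items()}
    findings = []

    if parts.scheme != "https":
        findings.append("scheme is not https")
    if not (parts.hostname or "").endswith(host_suffix):
        findings.append(f"host is not under {host_suffix}")
    if not parts.path.lower().endswith(".vhd"):
        findings.append("path does not name a .vhd blob")

    for key in ("sp", "se", "sig"):
        if key not in fields:
            findings.append(f"missing SAS field {key}")

    # An image hand-off only needs read access; anything more is worth questioning.
    extra = sorted(set(fields.get("sp", "")) - {"r"})
    if extra:
        findings.append("permissions beyond read: " + "".join(extra))

    try:
        if "st" in fields and now < parse_sas_time(fields["st"]):
            findings.append("link is not valid yet")
        if "se" in fields and now >= parse_sas_time(fields["se"]):
            findings.append("link has expired")
    except ValueError as exc:
        findings.append(str(exc))
    return findings


if __name__ == "__main__":
    for finding in inspect_sas_url(SAMPLE_SOURCE_URI, datetime.now(timezone.utc)):
        print("CHECK:", finding)
```
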


Creating Deployment templates 


To deploy Qualys scanner from the command line you need to create deployment 
templates. 


Download custom Qualys Scanner template and parameter files and adjust them to your 
Azure Cloud environment. 


To use the CLI in interactive mode, run: 


az deployment group create --debug --verbose --template-file azure_deploy.json --resource-group <your resource group> 


If your scanner requires proxy configuration, use a parameter file to supply the proxy 
configuration. 


Example: 
az deployment group create --debug --verbose --template-file azure_deploy.json --resource-group resource-group-name --parameters path_to_json_parameter_file 


Deployment requires the following parameters: 
- persCode - Enter the 14-digit personalization code obtained from Qualys Cloud Platform. 


- ImageResourceIdOrVhdUri - enter the resource id or vhd uri of the scanner image you 
copied into your Storage account in the previous step 


- bootDiagStorageAccNameOrUri - enter the storage account name to enable Boot 
Diagnostics 


- proxy - Optional proxy configuration in one of the following formats: 
proxy://<host>:<port> (No auth proxy) 
proxy://<user>:<password>@<host>:<port> (Auth proxy) 
proxy://<domain\user>:<password>@<host>:<port> (Auth proxy with domain user) 


- scannerVmSize - select any size up to 16 cores and 16 GB RAM 


To learn more about Azure templates, visit: Microsoft Documentation on Azure Resource 
Manager Templates 
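

A pre-flight check for the parameter file described in both parameter lists above (the Marketplace template and the private cloud template), added here as an illustration and not taken from Qualys or its templates. It assumes the standard ARM parameter-file layout, treats the last '@' in the proxy value as the separator between credentials and host, and accepts an IPv4 address or FQDN as host; all function names and sample values are constructed.

```python
import ipaddress
import json
import os
import re
import stat

PERSCODE_RE = re.compile(r"[0-9]{14}")                      # 14-digit personalization code
VM_NAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,62}[A-Za-z0-9])?")  # 1-64 chars
LABEL_RE = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")     # one DNS label

# Constructed sample in the standard ARM parameter-file layout; every value is made up.
SAMPLE_PARAMETERS = {
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "persCode": {"value": "12345678901234"},
        "bootDiagStorageAccNameOrUri": {"value": "storagequalys"},
        "proxy": {"value": "proxy://CORP\\svc-scan:S3cret@proxy.example.com:3128"},
    },
}


def valid_vm_name(name):
    """Scanner VM name rule: alphanumerics, '.' and '-', alphanumeric at both ends."""
    return VM_NAME_RE.fullmatch(name) is not None


def valid_host(host):
    """Accept an IPv4 address or an FQDN (assumption: no IPv6 literals)."""
    try:
        ipaddress.IPv4Address(host)
        return True
    except ValueError:
        pass
    if re.fullmatch(r"[0-9.]+", host):      # looks numeric but is not a valid IPv4 address
        return False
    labels = host.rstrip(".").split(".")
    return len(host) <= 253 and all(LABEL_RE.fullmatch(label) for label in labels)


def parse_proxy(value):
    """Parse one of the three proxy:// forms into its parts, or raise ValueError."""
    if not isinstance(value, str) or not value.startswith("proxy://"):
        raise ValueError("value must start with proxy://")
    userinfo, at, hostport = value[len("proxy://"):].rpartition("@")
    host, colon, port = hostport.rpartition(":")
    if not colon or not valid_host(host):
        raise ValueError("expected <host>:<port> with an IP or FQDN host")
    if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
        raise ValueError("port must be a number from 1 to 65535")
    domain = user = password = None
    if at:
        user, colon, password = userinfo.partition(":")
        if not user or not colon or not password:
            raise ValueError("expected <user>:<password> before '@'")
        if "\\" in user:
            domain, _, user = user.partition("\\")
            if not domain or not user:
                raise ValueError("expected <domain\\user> with both parts present")
    return {"domain": domain, "user": user, "password": password,
            "host": host, "port": int(port)}


def validate_parameters(doc):
    """Check perscode and the optional proxy value; parameter names match case-insensitively."""
    params = {name.lower(): entry.get("value")
              for name, entry in doc.get("parameters", {}).items()
              if isinstance(entry, dict)}
    findings = []
    perscode = params.get("perscode")
    if not isinstance(perscode, str) or not PERSCODE_RE.fullmatch(perscode):
        findings.append("perscode: expected the 14-digit personalization code")
    if params.get("proxy"):
        try:
            parse_proxy(params["proxy"])
        except ValueError as exc:
            findings.append(f"proxy: {exc}")
    return findings


def check_parameter_file(path):
    """Validate a parameter file and flag modes that let group/other read it."""
    with open(path, encoding="utf-8") as handle:
        findings = validate_parameters(json.load(handle))
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"file mode {mode:03o}: perscode and proxy credentials "
                        "are readable by group/other")
    return findings


if __name__ == "__main__":
    print(validate_parameters(SAMPLE_PARAMETERS) or "sample parameters look consistent")
```
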


Deploying Qualys Scanner via CLI 


Prior to deploying the Qualys Virtual Scanner in Azure, be sure that you have generated a 
personalization code from the Qualys Cloud Platform and customized the deployment 
template as in the previous step. The personalization code should already be recorded in 
your parameters file under the parameter, perscode. 


az CLI 
Example: az deployment group create --resource-group <your resource group> --template-file azure_deploy.json --parameters <path to json parameter file> 


where resource-group is the name of the resource group, name is the name of the 
deployment, template-file is the path to the template file in the file system, parameters is a file 
containing parameters 


Help: -h, --help for output usage information 


Using Azure GUI to Create Qualys Image and Deploy Scanner 


Alternatively, you can use the Azure GUI to create the Qualys image from a VHD file 
and deploy the Qualys Virtual Scanner Appliance. 


Note: The Qualys qVSA image vhd file should have already been uploaded to your storage 
container in order to create an image, see Copying Qualys image into your Storage 
Account for details. 


From the Microsoft Azure Dashboard, choose Images > Add to create an image. 
Fill in all the required information for your new image: 

- Name - give a distinct name for your scanner image 

- Subscription 

- Resource Group 

- Location 

- OS Type - select Linux 

- VM Generation - select Gen 1 


- Storage Blob - choose the location of the ‘.vhd’ file that is already copied into your 
Storage account 


- Storage Type - select Standard HDD 
- Host caching - select Read/Write 


To deploy the Qualys Virtual Scanner Appliance using the image created in the previous 
step, select the scanner image and click Create VM: 




Since Qualys Virtual Scanner is a locked-down Linux appliance and managed completely 
from the Qualys Cloud Platform, Azure username, password and SSH public key are not 
used for any kind of authentication but rather as a mechanism to pass proxy 
configuration information from Azure Cloud to the appliance. 


Passwords that look like “proxy://<user>:<password>@<host>:<port>” URLs can be used to 
configure the Qualys Virtual Scanner to use SSL proxy for all outbound communication 
with the Qualys Cloud Platform. 


Valid proxy configuration formats: 
proxy://<host>:<port> (No auth proxy) 
proxy://<user>:<password>@<host>:<port> (Auth proxy) 
proxy://<domain\user>:<password>@<host>:<port> (Auth proxy with domain user) 


Deploying Qualys Cloud Agent 


This section helps you to deploy Qualys cloud agent using different methods. 


Deploy Qualys Cloud Agent from Azure Security Center 


This section describes how to install Qualys Cloud Agents (Windows and Linux) for Azure 
virtual machines from the Azure Security Center console and view vulnerability 
assessment findings within Azure Security Center and your Qualys subscription. 


Azure Security Center provides a unified security management and monitoring console 
for Azure infrastructure. Qualys is integrated into the Azure security center's partner 
solutions for Vulnerability assessment. The security center detects the virtual machines 
without the solution and automates the deployment of the lightweight Qualys cloud 
agents on them. The agents gather vulnerability data and send it to the Qualys Cloud 
Platform, which in turn, provides vulnerability and health monitoring data back to Azure 
Security Center. 


Using our revolutionary Qualys Cloud Agent platform you can deploy lightweight cloud 
agents to continuously assess your infrastructure for security and compliance. 


For more information, you could refer to our community article. We also recommend the 
following resources: 

Qualys Cloud Platform 

Qualys Cloud Agent Getting Started Guide 


Quick Steps 

Create Asset Tag in AssetView (Optional) 
Create Activation Key in Cloud Agent 
Deploy Cloud Agents in Azure 


Create Asset Tag in AssetView (Optional) 


Asset tags provide the ability to uniquely list out assets. As a best practice, we recommend 
you create a tag called “Azure” that you'll use to easily distinguish the assets in the Azure 
cloud from the rest. You'll associate the tag with the activation key in the next step. 


Choose AssetView from the module picker, then go to Assets > Tags and click New Tag. 


In the Tag Creation wizard, give your tag a name, and choose No Dynamic Rule under Tag 
Rule (required when adding tags to keys). Click Finish when you're done. 


Create Activation Key in Cloud Agent 


Now we'll describe how to create an activation key. At the end of this step you'll have the 
license code and public key needed to deploy agents in Azure. We recommend you handle 
the Azure cloud deployments via a designated activation key. Additionally, manage your 
departments with separate activation keys. 


Choose Cloud Agent from the module picker, then go to Agent Management > Agents and 
click Install New Agent. 




Give the key a unique name (example: AzureAgentsActivationKey) and select VM and/or 
PC modules, depending on your licenses. We encourage you to have both solutions to 
secure your assets in Azure completely. 


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Did you create an asset tag for Azure? Select the tag at this time. Then click Generate. 


As part of this integrated deployment, the Azure agent is currently supported for Windows 
and Linux. (Linux agent support was recently added.) 




Click the Install Instructions button for Windows or Linux. Choose “Deploying in Azure 
Cloud” and retrieve the keys from the page. Copy the License Code and Public Key. You'll 
need these in the next step when you deploy cloud agents in Azure. 


Deploy Cloud Agents in Azure 


There are two offerings available for Azure Security Center integrations and each will be 
covered below: 


- Vulnerability Assessment with Qualys Cloud Agent (QCA) (Bring Your Own License (BYOL)) 

- Azure Security Center Embedded Vulnerability Assessment Powered by Qualys 


Vulnerability Assessment with Qualys Cloud Agent 


Vulnerability Assessment with Qualys Cloud Agent (QCA) (Bring Your Own License (BYOL)) 
provides a way to deploy QCA via Azure Security Center (ASC). It also provides Auto-deploy 
of agents on all discovered unprotected VMs in your subscription. This offering is 
available with both the free and standard tiers of ASC. For more information, click here. 


1) Log in to the Microsoft Azure portal and navigate to “Security Center”. Azure Security 
Center integrates with Azure services to monitor and protect your Windows and Linux 
virtual machines. 




2) Go to Security Center dashboard, click “Recommendations”, then click “Remediate 
Vulnerabilities” to expand the list of options. 


3) Select “Vulnerability assessment solution should be enabled on your virtual machines” 
option. 




The Azure VM resources are displayed. 


- Within Affected resources, there are 3 options: Unhealthy resources, Healthy resources 
and Not applicable resources. 


The Unhealthy resources column lists all the VM resources that do not have the Qualys Cloud Agent. 


4) Select the check box to select all the VM resources and click Remediate to proceed. 


5) Choose a vulnerability assessment solution. 


The following 3 options are provided: 


Recommended: Deploy ASC integrated vulnerability scanner powered by Qualys (included 
in Azure Defender for servers): This option is intended for non-Qualys customers that 
want to leverage the Qualys Vulnerability Assessment via Azure Defender included in the 
ASC Standard Pricing Tier. If you are on the ASC FREE TIER, then this option is disabled. 
Qualys customers should not choose this option if they want their assessment findings in 
both ASC and in their Qualys subscription. It is recommended that Qualys customers 
choose the BYOL solutions. For more details on this solution, click here. 


Deploy your configured third-party vulnerability scanner (BYOL - requires a separate 
license): Choose this option if you already have an existing solution from Qualys. 


Configure a new third-party vulnerability scanner (BYOL - requires a separate license): 
Choose this option if you want to create a new solution. 


6) Select Qualys extension to configure and click Proceed. 


Provide the required details. 
Name - name for the solution. 


Subscription — displays subscription of the solution. If multiple subscriptions are selected, 
then it will provide drop down menu to select the subscription. 


Resource group — Select the required resource group 

Location — Select Location 

License code — Specify license code retrieved from Qualys subscription. 
Public key — Specify public key retrieved from Qualys subscription. 


Auto deploy — Automatically installs Qualys cloud agent on Azure resources in the 
subscription. 


Note: For subsequent deployments, choose the solution you just created from the ‘Existing 
Solution’ list. The inputs are saved, so you don't need to retrieve the code and key from 
your Qualys subscription again. 


7) Navigate to Security solutions to view all of the configured security solutions from 
Qualys and click VIEW on the solution to view the VM resources associated with it. 


9) Click View findings. All the vulnerability findings from Qualys associated with that VM 
resource are displayed. 


10) Click any of the findings to view its detailed description, information, impact, threat 
and remediation. 


Retrieve the License Code and Public Key from your Qualys Subscription 


1) Log in to your Qualys subscription. Navigate to the “Cloud Agent” application from the 
menu, then select “Activation Keys”. 




2) Click “New Key” and generate a new activation key. We recommend you handle the 
Azure cloud deployments via a separate Activation Key. Additionally, manage your 
departments with separate activation keys. Specify a name to identify it uniquely 
(example: Azure Security Center Key) and select the Vulnerability Management and/or Policy 
Compliance modules depending on your licenses. We encourage you to have both 
solutions to secure your assets in Azure completely. 


3) Specify a name to identify it uniquely (example: Azure Security Center Key) and select the 
Vulnerability Management and/or Policy Compliance modules depending on your licenses. 
We encourage you to have both solutions to secure your assets in Azure completely. 
Click Generate to create the new activation key. 




4) Currently, this integrated deployment is only available for Windows and Linux agents. 
(Linux agent support is newly added.) Click ‘Install Instructions’ under Windows or Linux. 
Choose ‘Deploying on Azure’ and retrieve the keys from the page. 


5) Copy the License code and Public key and use them when deploying the agent. 




Azure Security Center Embedded Vulnerability Assessment Powered by Qualys 


Azure Security Center Embedded Vulnerability Assessment Powered by Qualys helps to 
quickly deploy a Vulnerability Assessment Solution powered by Qualys. No other 
configurations needed. This offering is available to all Azure customers that are 
subscribed to the Azure Security Center (ASC) standard pricing tier. 


This solution utilizes the Qualys Cloud Agent that will be deployed to your virtual 
machines in your Azure subscription. The Vulnerability Assessment findings will be 
populated into your ASC Dashboard under recommendations. 


1) Log in to the Microsoft Azure portal and navigate to “Security Center”. Azure Security 
Center integrates with Azure services to monitor and protect your Windows and Linux 
virtual machines. 


2) Click “Recommendations”, then click “Enable the built-in vulnerability assessment 
solution on virtual machines (powered by Qualys)”. 


Embedding Qualys Cloud Agent as a part of Golden Machine Image 


The Qualys Cloud Agent supports configuration and deployment into cloned images in 
cloud environments such as Microsoft Azure. For the step-by-step procedure, contact 
your TAM or Qualys Support and ask for the “Cloud Agent Technical White Paper”. 


Deploy Qualys Cloud Agent via Azure ARM Template 


This section helps you to deploy Qualys Cloud Agent using Azure Resource Manager (ARM) 
template. For more details on deploying Cloud Agent on Windows VM or Linux VM using 
Azure Portal, see Qualys Cloud Agent installation using Azure Resource Manager (ARM) 
template. 


Using PowerShell 


PS C:\> New-AzureRmResourceGroupDeployment -VMName VM_NAME -ResourceGroupName RESOURCE_GROUP_NAME -Location VM_LOCATION -TemplateFile TEMPLATE_FILE_PATH -TemplateParameterFile TEMPLATE_PARAMETER_FILE_PATH 


where, 


TEMPLATE_FILE_PATH = the path of the template file 


TEMPLATE_PARAMETER_FILE_PATH = the path of parameter file for the template 


Input Parameters: use azuredeploy-parameters.json as an example for supplying the 
parameter fields. 


- vmName: The name of the Virtual Machine where you want to install Qualys Cloud Agent 


- vmlocation: The location of the Virtual Machine 


- LicenseCode: The License Code from your Qualys Subscription 


Deploy Qualys Cloud Agent via Other Tool Sets 


Qualys Cloud Agent can be deployed via the automation, orchestration or configuration 
management tool sets in your environment, for example, Ansible, Chef, and Puppet. 
Qualys provides a template for deploying Qualys Cloud Agent via Ansible. This can be 
used by customers to deploy and configure Qualys Cloud Agent in their Azure 
environment. 


Ansible 


This section helps you to deploy Qualys Cloud Agent using Ansible-Playbook. 


The playbook InstallQCA.yml can be used to deploy Qualys Cloud Agent across the assets 
included in your “host” file. Additionally, you can use the tags to deploy Qualys Cloud 
Agent on your virtual machines. Refer to Cloud Agent Ansible for a GitHub example. 


The required input parameters are: 

- private-key = private key used to access the virtual machines (Ansible works via SSH) 


- ssh_user = username to log in to the instance 


- URL = the URL where the file is hosted, for example: web server, S3, Blob Storage, Cloud 
Storage 


- ActivationID = an ID that provides a way to group agents and bind them to your account 


- CustomerID = an ID to identify your account 


Azure Automation Cloud Agent 


This section helps you to deploy Qualys Cloud Agent in Azure Virtual Machine (VM) using 
Azure Automation and Run command. 


The PowerShell script “qcainstall.ps1” logs into the Azure subscription and locates all the 
Resource Groups in it. Crawling each Resource Group, it locates the VMs inside it. With 
the help of the Azure Run command “Invoke-AzureRmVMRunCommand”, it downloads the 
script to install Qualys Cloud Agent based on the Operating System (OS) of the VM. 


Pre-requisites: You should have an Azure Automation account and an Automation 
connection asset named "AzureRunAsConnection" in that Azure Automation account. 


Note: This script works only on PowerShell version 2 and above. It does not work 
on V5 core because the Invoke-WebRequest cmdlet is unavailable there. You can opt for the 
alternatives. 


Usage: 
1) Create variables named ContainerName, StorageAccountName, StorageAccountKey. 


2) Copy the executable files (Qualys Cloud Agent exe, rpm or deb files) and upload them to 
the Blob storage that is publicly accessible. 


3) Repeat steps 1 and 2 for the scripts LinuxQCA.sh and WindowsQCA.ps1, store them in the 
Blob storage referred to by the variables created in step 1, and keep that storage private. 


4) Import the main script named qcainstall.ps1 into an Azure Automation runbook, edit 
the variables ActivationId, CustomerId, url_rpm and url_deb, then save and publish it. 


5) Start the Runbook. 
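Because step 2 serves the installers from a publicly accessible Blob container, the script that runs inside each VM can check the download before executing it. The following is an added example, not Qualys's WindowsQCA.ps1. It assumes the expected SHA-256 is the value the Qualys Install Agents screen shows for the agent version you uploaded and that the installer is Authenticode-signed; the parameter names other than ActivationId and CustomerId are hypothetical.

```powershell
# Added example: verified download-and-install for a Windows VM.
# Not Qualys's WindowsQCA.ps1; InstallerUrl and ExpectedSha256 are hypothetical names.
# Needs PowerShell 4.0 or later on the target VM (Get-FileHash).
param(
    [Parameter(Mandatory = $true)] [string] $InstallerUrl,    # Blob URL of QualysCloudAgent.exe
    [Parameter(Mandatory = $true)] [string] $ExpectedSha256,  # hash shown by the Qualys console
    [Parameter(Mandatory = $true)] [string] $CustomerId,
    [Parameter(Mandatory = $true)] [string] $ActivationId
)

$ErrorActionPreference = 'Stop'

function Get-VerifiedInstaller {
    param([string] $Url, [string] $Sha256, [string] $Destination)

    # A plain-HTTP download could be altered in transit.
    if (([uri] $Url).Scheme -ne 'https') {
        throw "Refusing non-HTTPS installer URL: $Url"
    }
    if ($Sha256 -notmatch '^[0-9a-fA-F]{64}$') {
        throw 'ExpectedSha256 must be 64 hexadecimal characters.'
    }

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Invoke-WebRequest -Uri $Url -OutFile $Destination -UseBasicParsing

    # Pin the file to the hash recorded from the Qualys console.
    $actual = (Get-FileHash -Path $Destination -Algorithm SHA256).Hash
    if ($actual -ne $Sha256) {          # -ne compares strings case-insensitively
        Remove-Item -Path $Destination -Force
        throw "SHA-256 mismatch: expected $Sha256, got $actual. File deleted."
    }

    # Assumption: the installer carries an Authenticode signature.
    $sig = Get-AuthenticodeSignature -FilePath $Destination
    if ($sig.Status -ne 'Valid') {
        Remove-Item -Path $Destination -Force
        throw "Authenticode signature status is '$($sig.Status)'. File deleted."
    }

    Write-Host "Verified $Destination (signer: $($sig.SignerCertificate.Subject))"
    return $Destination
}

$installer = Join-Path $env:TEMP 'QualysCloudAgent.exe'
Get-VerifiedInstaller -Url $InstallerUrl -Sha256 $ExpectedSha256 -Destination $installer | Out-Null

# Argument form as given in the Qualys console's Windows install instructions;
# confirm it there before use.
$proc = Start-Process -FilePath $installer -Wait -PassThru `
    -ArgumentList "CustomerId={$CustomerId}", "ActivationId={$ActivationId}"
if ($proc.ExitCode -ne 0) {
    throw "Installer exited with code $($proc.ExitCode)."
}
```

Supply the four values through the -Parameter hashtable of Invoke-AzureRmVMRunCommand when the runbook calls the script.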


Scan Assets 


This section helps you understand the steps to scan your network. Before you initiate your 
scan, make sure a few checkpoints and pre-configurations are in place. 


Azure Scan Checklist 

We recommend these steps before scanning. 

- Check Appliance Status 

- Configure OS Authentication 

- Configure security groups for the Azure virtual machines to be scanned 


Check Appliance Status 


Go to VM/VMDR > Scans > Appliances - Be sure the new Scanner Appliance is connected 
to the Qualys Cloud Platform. The connected icon means your appliance is connected and 
ready for scanning. 


Configure OS Authentication 


Using host OS authentication (trusted scanning) allows our service to log in to each target 
system during scanning. Running authenticated scans gives you the most accurate results 
with fewer false positives. 


Go to Scans > Option Profiles. Edit the profile Initial Options, use Save As to save a copy 
with another name. In your new profile enable the authentication types you'll need. 




Go to Scans > Authentication. Add authentication records for the Azure virtual machines 
you'll be scanning - Unix and/or Windows. In the record you'll need to add credentials for 
the account to be used for authentication - this is an account for OS user (not the AIM 
user). We recommend you create a dedicated account for authentication on target 
systems. 


Sample Unix Record 
1) Login Credentials - Provide OS user name and select Skip Password. 


2) Private Keys - Key authentication recommended. Select key type (RSA, DSA, ECDSA, 
ED25519) and enter your private key content. 


3) IPs - Select Unix IP addresses/ranges of your Azure virtual machines for this record. 
Credentials in this record are used to scan these assets. 




Sample Windows Record 


1) Login Credentials - Provide OS user name and select Skip Password. 


2) IPs - Select Windows IP addresses/ranges of your Azure virtual machines for this record. 
Credentials in this record are used to scan these assets. 




Learn more about OS authentication 


Online help within the authentication record workflows provides detailed instructions and 
guidance on all available options. These documents are good resources: 


Qualys Windows Authentication Guide (pdf) 
Qualys Unix Authentication Guide (pdf) 


Configure security groups for the Azure virtual machines to be scanned 


In Azure, you must associate a security group that allows inbound access on all ports for 
the IP address of the scanner appliance or the security group of the scanner appliance. 
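
The rule described above can be created with the AzureRM cmdlets used elsewhere in this guide, with the source limited to the scanner appliance's address. This is an added example, not part of the Qualys guide; the resource names, rule name, priority and IP address are placeholders.

```powershell
# Added example (not part of the Qualys guide). Requires the AzureRM.Network
# module and an authenticated session (Login-AzureRmAccount).
# All names, the priority and the IP address are placeholders.
$ResourceGroup = 'RESOURCE_GROUP_NAME'
$NsgName       = 'TARGET_NSG_NAME'     # NSG attached to the VMs to be scanned
$ScannerIp     = '10.1.0.4'            # constructed value: scanner appliance IP
$RuleName      = 'Allow-Qualys-Scanner-Inbound'
$RulePriority  = 200

function Get-OpenInboundRule {
    # Custom inbound Allow rules that expose every port to any source.
    param($Nsg)
    $anySource = '*', '0.0.0.0/0', 'Internet'
    $Nsg.SecurityRules | Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
        (@($_.DestinationPortRange) -contains '*') -and
        (@($_.SourceAddressPrefix) | Where-Object { $anySource -contains $_ })
    }
}

function Add-ScannerRule {
    param($Nsg, [string] $SourceIp, [string] $Name, [int] $Priority)

    if ($Nsg.SecurityRules | Where-Object { $_.Name -eq $Name }) {
        Write-Host "Rule '$Name' already exists; nothing to do."
        return $Nsg
    }
    # Priorities must be unique per direction within an NSG.
    if ($Nsg.SecurityRules | Where-Object { $_.Direction -eq 'Inbound' -and $_.Priority -eq $Priority }) {
        throw "Inbound priority $Priority is already in use; choose another."
    }
    # All ports are allowed, but only from the scanner appliance's address.
    $Nsg | Add-AzureRmNetworkSecurityRuleConfig -Name $Name `
            -Description 'Qualys scanner appliance: all ports, this source only' `
            -Access Allow -Direction Inbound -Priority $Priority -Protocol '*' `
            -SourceAddressPrefix $SourceIp -SourcePortRange '*' `
            -DestinationAddressPrefix '*' -DestinationPortRange '*' |
        Set-AzureRmNetworkSecurityGroup
}

$nsg = Get-AzureRmNetworkSecurityGroup -Name $NsgName -ResourceGroupName $ResourceGroup
$nsg = Add-ScannerRule -Nsg $nsg -SourceIp $ScannerIp -Name $RuleName -Priority $RulePriority

# Report rules that are broader than scanning needs.
Get-OpenInboundRule -Nsg $nsg | ForEach-Object {
    Write-Warning "Rule '$($_.Name)' allows all ports from any source; review it."
}
```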


Tips and Best Practices 


Have Qualys Defined Networks? Move your Virtual Appliance 


This step is recommended if you've defined custom networks in your Qualys 
account. 


By default a new Virtual Scanner Appliance is placed in the Global Default 
Network and when a scan is performed, host scan data is added to that network. 
We recommend you move this Virtual Appliance to the desired network before 
scanning a custom network. 


Go to Assets > Networks, edit the network you want to move the Virtual 
Appliance to and add the appliance to that network. 


Internal Scanning using Virtual Scanner Appliance 
Scanning with a pre-authorized scanner appliance involves the following sequence of steps. 


1) Create a dynamic tag with Cloud Asset Search filters under “AssetView” app based on 
your requirements. 


For example: 

All running VMs in your Qualys Subscription: azure.vm.state: "RUNNING" 

All running VMs in your Azure Subscription: azure.vm.subscriptionId:<your Azure Subscription Id> and azure.vm.state: "RUNNING" 

All running VMs in a location: azure.vm.state: "RUNNING" and azure.vm.location:westus 

All running VMs in a resource group: azure.vm.state: "RUNNING" and azure.vm.resourceGroupName: testRG 


2) Extract IP addresses of machines returned by tags created in above step. You can extract 
it using Download or API Query to Host Assets. 


3) Add these IP addresses grouped as Asset Groups or individually as Host Assets under 
Assets tab in VM/VMDR. 


4) Configure OS Authentication records. 


5) Now, let's start scanning. Go to VM/VMDR > Scans > Scans > New > Scan (or Schedule
Scan).


6) Identify your scan target. Click Assets to select a combination of asset groups and IP 
addresses to scan or click Tags to select one or more asset tags to scan. 


7) That's it - just click Launch and you're done! 
Internal Network Scanning using Qualys Cloud Agent


Using our revolutionary Qualys Cloud Agent platform you can deploy lightweight cloud 
agents to continuously assess your Azure infrastructure for security and compliance. 


Cloud Agent features 


- Communicates to the Qualys Cloud Platform over port 443 and supports Proxy 
configurations. 


- Supports scanning a range of Linux and Windows OS versions 


We recommend these resources 


Qualys Cloud Platform 
Qualys Cloud Agent Getting Started Guide 


Get Started 
Navigate to the Cloud Agent (CA) app and install the Cloud Agent in minutes 


Perimeter Scanning using Qualys External Scanners


We provide the ability to scan public facing virtual machines in your Azure cloud 
environment using Cloud Perimeter Scanning for VM and PC. 


Qualys External Scanners (Internet Remote Scanners), located at the Qualys Cloud 
Platform are used for Perimeter Scanning of Azure virtual machines. For subscriptions on 
Private Cloud Platforms, your account may be configured to allow internal scanners to be 
used. 


These are DNS- or IP-based scans launched using the public DNS or public IP of the target
virtual machines. If both a public DNS and a public IP address exist for your virtual machines,
then we will launch a scan on the public DNS.


Requirements 


- The “Cloud Perimeter Azure VM Scan” feature must be enabled for your subscription.
Please reach out to your Technical Account Manager or Qualys Support to enable this
feature. You'll also need these features enabled: Cloud Perimeter Scanning, EC2
Scanning, Scan by Hostname.
- Cloud perimeter scans are available for VM and PC modules. Only Managers and Unit 
Managers have permission to configure cloud perimeter scans. 

- We allow you to create/update a cloud perimeter scan job through Cloud Perimeter Scan 
API even if no scan targets are resolved from the provided details. At the time of scan, if 
no scan targets are resolved from the provided details, the scan will not be launched, and 
we add the error in the Activity log and Run history of the schedule scan job. 


Get Started 


All cloud perimeter scans are scheduled - either for “now” (a one-time scan job) or 
“recurring”. Once saved, you'll see the scan job on the Schedules list. When the scan job 
starts it will appear on your Scans list. 


1) Create a dynamic tag with Cloud Asset Search filters under “AssetView” app based on 
your requirements. 


For example: 


All running public VMs in your Qualys Subscription: not azure.vm.publicIpAddress
is null and azure.vm.state: "RUNNING"


All running public VMs in your Azure Subscription: not azure.vm.publicIpAddress is
null and azure.vm.subscriptionId:<your Azure Subscription Id> and azure.vm.state: "RUNNING"


All running public VMs in a location: not azure.vm.publicIpAddress is null and 
azure.vm.state:"RUNNING" and azure.vm.location:westus 


All running public VMs in a resource group: not azure.vm.publicIpAddress is null 
and azure.vm.state:"RUNNING" and azure.vm.resourceGroupName: testRG 
2) Now, let's start scanning. Go to VM/VMDR for a vulnerability scan (or PC for a
compliance scan) and choose New > Cloud Perimeter Scan. You'll also see this option on
the Schedules tab.




3) In the Cloud Information tab, select the Azure icon to scan the Azure VM machines and
click Continue.




Note: While updating the scan, you cannot change the Provider. We populate the values 
you selected at the time of creating the scan in Scan option profile settings. 
4) Go to the Scan Details tab and give the scan a name and select the option profile and
priority.


5) Go to the Target Hosts tab to select the public facing Azure VM machines on which you 
want to run the Cloud Perimeter scan. From the Connectors drop-down, select an Azure 
connector. 


The Connector drop-down lists the connectors that you have configured in AssetView. 
Select asset tags to further filter the Azure VM assets fetched from the Azure connector. 


Note: The selected asset tag will scope the selected connector's assets and will not scan
assets from under other connectors or non-connector based assets.


For Azure VM scan, we do not support pulling load balancer DNS names from the 
CloudView module. 




6) Go to the Scanner and Schedule & Notification tabs to select the External/Internal 
scanner and schedule the scans. 


Note: By default, the external scanner appliance is selected. You can select an internal
scanner for the scan only if using internal scanners for cloud perimeter scans is enabled
for your subscription.


7) Go to the Review tab. In the Target Hosts section, we will show you:

- how many public facing Azure VM assets are fetched from the connector,
- assets that are qualified for the scan and
- out of the qualified assets, how many assets are activated in VM on which the scan will
be launched.



8) Finally, submit the scan job. 


The VM assessment results from Azure perimeter scans will be tracked to the virtual
machine ID tracked asset. As a part of the scan option profile, the scanner tries to reach
the IPs and get to the virtual machines.
View Azure VM Tracked Host Assets in Host Assets
Go to Assets > Host Assets > Filters to search for the Azure VM tracked assets. 




Click the info button to view the cloud provider name (which is Azure for Azure VM 
assets), cloud service name (VM for Azure VM assets), and resource ID for the Azure 
Virtual Machine in the Host Information screen. The Cloud Asset Metadata tab shows the 
metadata information for the host. 


Cloud Inventory and Security Assessment 


This section describes the discovery of cloud inventory such as cloud assets and
resources. It also describes security assessment, which gives full visibility into the public
cloud security posture of all assets and resources.


Cloud Inventory 


Qualys Cloud Inventory continuously discovers and tracks assets and resources such as 
virtual machines, SQL databases, Network security groups, WebApps and others, across 
all regions and multiple subscriptions in Microsoft Azure and gives you an “at-a-glance” 
comprehensive picture of your cloud inventory and the location of assets across global 
regions. You can view all this information in one central place. 


Features: 


- Provides a quick overview of inventory via pre-built dashboards, and lets you personalize 
or build your own with custom widgets 


- Collects rich metadata for every resource and shows associations across resources, so 
you can understand scenarios such as what security groups are potentially public and 
unprotected, and which related assets this is impacting 


Cloud Security Assessment 


Qualys Cloud Security Assessment gives full visibility into the public cloud security 
posture of all assets and resources. Refer to CloudView Getting Started Guide for more 
details. 


Features: 
- Provides a quick overview of inventory and security posture via dashboards 


- Lets you personalize or build your own with custom widgets based on queries or on other 
criteria, such as “Top 10 accounts based on failures” and “Top 10 controls that are failing” 


- Out of box Azure policies like CIS Microsoft Azure Foundations Benchmark and Azure 
Best Practices Policy 


- Continuously assess and report on resource mis-configurations by checking against the 
controls from out-of-box policies 


- Build your own policies and customize controls to suit your need 




- Ability to view, filter and export mis-configurations 




Securing Web Applications 


Using Qualys you can secure Applications using Application Scanning and Firewall 
solutions. 




Qualys WAS 


Qualys Web Application Scanning (WAS) provides automated crawling and testing of
custom web applications to identify application and REST API vulnerabilities including
cross site scripting (XSS) and SQL injection. To get started, install the Qualys Virtual
Scanner Appliance that's pre-authorized by Azure. This is the same appliance used to scan
for vulnerabilities and compliance checks.


How do I get started? 
- Follow the steps in Deploying Qualys Scanner via CLI 
- Then review instructions in Qualys Web Application Scanning Getting Started Guide. 


Qualys WAF 


Protect applications with firewall rules and instant virtual patches using Qualys Web 
Application Firewall (WAF). 


How do I get started? 
- Install the Web Application Firewall Appliance available on the Azure 
- Then review instructions in Qualys Web Application Firewall Getting Started Guide. 
Securing Containers


Qualys Container Security provides discovery, tracking and continuous protection of
container environments. This addresses vulnerability management for images and
containers in the DevOps pipeline and deployments across cloud and on-premise
environments.


Qualys Container Security supports: 

- Discovery, inventory and near-real time tracking of container environments 
- Vulnerability analysis for images and containers 

- Vulnerability analysis for registries 


- Integration with CI/CD pipeline using Jenkins/Bamboo Plugins or REST APIs (DevOps 
flow) 




Refer to the Qualys Container Security User Guide for more details.


Deploying Container Sensor


The sensor from Qualys is designed for native support of Docker environments. The sensor is
packaged and delivered as a Docker image. Download the image and deploy it as a
container alongside other application containers on the host.


Since the sensor is Docker based, it can be deployed into orchestration tool
environments like Kubernetes, Mesos or Docker Swarm just like any other application
container.


Refer to the Qualys Container Security Deployment Guide for more details.




Analyze, Report & Remediate 


This section covers how to query assets, build widgets and dashboards, and generate
vulnerability reports on Azure assets.


How to Query Azure Assets 


Our advanced search capabilities help you quickly find everything about your assets in one
place. Choose the AssetView app and go to the Assets tab. This is where you'll see an
inventory of all your scanned assets. Say you want to find all your Azure assets. Type
provider and select Azure from the drop-down menu.




You can search many Azure asset properties. Start typing Azure and you'll see a list of Azure
asset properties (tokens) you can use to search. Hover over the token name to see syntax
help to the right.


View Asset Details Anytime


The latest vulnerability and compliance data is always available in your assets inventory. 
Just select the asset name and choose View Asset Details from the quick actions menu. 




Save Query 


Easily save your searches for reuse and share them with other users. 


Download and Export Results


It just takes a minute to export search results. Select Download from the Tools menu. Next 
choose an export format and click Download - choose from multiple formats. 




Create Widget 


You can create a widget based on your query and add it to your dashboard. For example, 
first search for Azure assets that have not been scanned for vulnerabilities using Qualys 
VM for a month. Here's your query: 


provider:"Azure" AND NOT lastVmScanDate: [now-30d..now-1s] 


Then choose Create widget. Add a title; you'll see your query is already populated for you.
It takes just one click to add the widget to your dashboard.


Creating Reports 
You can create many different reports on vulnerabilities in the Qualys VM app. 


Go to VM/VMDR > Reports > New > Scan Report > Template Based. There are many report 
templates to choose from, or you can create your own. Try the Technical Report to see full 
vulnerability details in your report. 


Want to report on compliance data? No problem. Choose PC from the module picker. Then
go to Reports > New > Compliance Report, and pick the report you’re interested in.


Dynamic Tagging Using Azure Attributes 


Create dynamic tag rules to tag your Azure virtual machines based on Azure metadata as 
collected by the Azure Connector. For each tag rule you'll provide a search query with 
Azure instance information. 


It's easy to get started! 1) Click New Tag, 2) choose the Cloud Asset Search tag rule, 3) 
select the cloud provider, and 4) enter your query. Just start typing in the Query field and 
we'll show you the Azure attributes you can search. 


Sample queries

Find Azure virtual machines located in East US region: azure.vm.location: eastus

Find Azure virtual machines with specific group name: azure.vm.resourceGroupName:
MC_hkkube_hkaks2_eastus

Find Azure virtual machines of standard size: azure.vm.size: Standard*

Find Azure virtual machines based on IPs (comma-separated list or range):
azure.vm.publicIpAddress: [104.211.13.0 104.211.13.255]
azure.vm.privateIpAddress: [10.95.0.0... 10.95.0.255]

Find Azure virtual machines for specific subscription ID: azure.vm.subscriptionId:
1d767489-da0c-4948-a285-bf2c708c0586

Find Azure virtual machines for specific tags: azure.tags: (name: owner and value: amy)
Manage Assets Using Qualys


Here are some best practices and tips for organizing assets to help you secure Azure
infrastructure using Qualys.


Setting up Qualys Configurations 


Asset Groups - Organize assets into meaningful groups and assign them to sub-users.
Asset groups are required when you have multiple users i.e. Scanner, Reader, Unit
Manager (if business units are defined). The same IP address can be included in multiple
asset groups.




Business Units - Organize users and assets into business units in a way that matches your
organization. This gives Managers the ability to grant users role-based permissions in the
context of their assigned business unit. The same IP address can be included in multiple
business units.




Networks - Organize discrete private IP networks to keep overlapping IP blocks separate.
When configured, Qualys tracks IPs by network and IP address. Keep in mind that an IP
address must be unique to your subscription or a single network.


Removing Terminated Virtual Machines - You can remove terminated virtual machines
from your Qualys account. Go to VM/VMDR or Policy Compliance > Assets > Asset Search
and select the assets with tracking method as IP address. You could also add more
parameters to refine your search, such as Last Scan Data not within x days and so on.


Click Search and then select the assets from the results. From the Actions drop-down,
select Purge. This results in removal of assets along with their associated data from the
module.




Uninstall agents 


Consider a scenario where you have deployed cloud agents on your Azure assets and you
want to uninstall agents that have not checked in for the last N days. You can use the
following API call.


Request:

curl -u "USERNAME:PASSWORD" -X "POST" -H "Content-Type: text/xml" \
  -H "Cache-Control: no-cache" \
  --data-binary @uninstall_agents_not_checkedin.xml \
  "https://qualysapi.qualys.com/qps/rest/2.0/uninstall/am/asset/"


Contents of uninstall_agents_not_checkedin.xml:

<?xml version="1.0" encoding="UTF-8" ?>
<ServiceRequest>
  <filters>
    <!-- Assets tagged "Cloud Agent" whose "updated" value is before this UTC timestamp -->
    <Criteria field="tagName" operator="EQUALS">Cloud Agent</Criteria>
    <Criteria field="updated" operator="LESSER">2016-08-25T00:00:01Z</Criteria>
  </filters>
</ServiceRequest>


For more information on Cloud Agent APIs, refer to our Cloud Agent API User Guide. 
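The request body above carries a fixed cutoff date. The added example below (not from the Qualys guide) generates the same ServiceRequest for "not checked in for the last N days", using only the fields and operators shown above. The function name, the refusal of cutoffs under one day and the sample tag names are assumptions of this sketch.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET


def build_uninstall_filter(days, now=None, tag_name="Cloud Agent"):
    """Return the XML body (bytes) selecting agents not updated in `days` days.

    `now` must be timezone-aware; it defaults to the current UTC time.
    """
    if isinstance(days, bool) or not isinstance(days, int) or days < 1:
        # Guard against an empty or negative window that would match every agent.
        raise ValueError("days must be a whole number >= 1")
    now = now or datetime.now(timezone.utc)
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware")
    cutoff = (now.astimezone(timezone.utc) - timedelta(days=days)).replace(microsecond=0)

    root = ET.Element("ServiceRequest")
    filters = ET.SubElement(root, "filters")
    tag = ET.SubElement(filters, "Criteria", field="tagName", operator="EQUALS")
    tag.text = tag_name  # ElementTree escapes &, < and > in the tag name
    updated = ET.SubElement(filters, "Criteria", field="updated", operator="LESSER")
    updated.text = cutoff.strftime("%Y-%m-%dT%H:%M:%SZ")
    return ET.tostring(root, encoding="UTF-8", xml_declaration=True)


if __name__ == "__main__":
    # Print the body for review; save it as uninstall_agents_not_checkedin.xml
    # for the curl request shown above.
    print(build_uninstall_filter(30).decode("utf-8"))
```

Review the generated cutoff before sending the request, since every agent matching both criteria is uninstalled.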
Common Questions


Queries and Solutions


Query: How to view platform provider info on virtual scanner appliances?

Solution: You'll see the platform provider info for a virtual scanner appliance
that’s been deployed in Azure (or another cloud platform) within
your Qualys account. You'll see this info in the General Information
section when you view or edit the appliance (from Scans >
Appliances).


Query: I have an Azure connector available, but I am not able to see the Azure option in
Cloud Perimeter scan.

Solution: To launch a Cloud Perimeter scan for Azure VMs, make sure you have
enabled the 'Cloud Perimeter Azure VM scan' option for your Qualys
account. To enable this option, reach out to Qualys support.


Query: Troubleshooting connectivity

Solution: Qualys Scanner Appliance must make regular connections to the
Qualys Cloud Platform over HTTPS. Please be sure to resolve
connectivity issues to ensure proper functioning of your appliance.
The Communication Failure message appears if there is a network
breakdown between the scanner and the Qualys Cloud Platform.
The communication failure may be due to one of these reasons: the
local network goes down, Internet connectivity is lost for some
reason, or any of the network devices between the scanner and the
Qualys Cloud Platform goes down.

The Network Error message indicates the Scanner Appliance
attempted to connect to the Qualys Cloud Platform and failed.
You'll see an error code and description to help you with
troubleshooting. Errors can be related to the proxy server and
connection errors with Qualys Cloud Platform. The Qualys Cloud
Platform logs results of connectivity checks and overall
personalization process on the Azure System Console.

If you see “No connectivity to qualysguard.qualys.com - please fix.”
messages, please verify that your VPN Network ACLs and Security
Groups allow outbound HTTPS (TCP port 443) access. If you are
using a proxy server, ensure that the scanner can reach the proxy
server, and that the proxy server can access the Qualys cloud
platform.